(audit 6.2.1) CATValidator treats failed balanceOf() reads as zero#21

Open
reednaa wants to merge 1 commit into ts-library from balance-read

Conversation

@reednaa (Member) commented Apr 13, 2026

The Solady lib returns a 0 balance if the balanceOf call fails. This could potentially be exploited if a non-0 token balance could be triggered to revert, reporting the user balance as 0 (instead of the true amount).

This PR fixes this issue by using the checkBalanceOf function from Solidity, which returns a success boolean.

A test has been included to validate the error.
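An added Solidity illustration of the failure mode described above, not code from this PR or from Solady: `BalanceRead`, `MinReceiveValidator` and their functions are assumed names, and the minimum-receive check is a hypothetical stand-in for whatever constraint CATValidator actually enforces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's or Solady's code. Library, contract
// and function names are hypothetical.
library BalanceRead {
    bytes4 constant BALANCE_OF = 0x70a08231; // balanceOf(address)

    // Lenient read: a reverting or non-existent token, or one returning
    // short data, collapses to 0, indistinguishable from a real zero balance.
    function lenientBalanceOf(address token, address account) internal view returns (uint256 bal) {
        (bool ok, bytes memory data) = token.staticcall(abi.encodeWithSelector(BALANCE_OF, account));
        if (ok && data.length >= 32) bal = abi.decode(data, (uint256));
        // otherwise bal stays 0: the behaviour the PR removes
    }

    // Checked read: failure is reported to the caller as ok == false
    // instead of being folded into the number.
    function checkedBalanceOf(address token, address account) internal view returns (bool ok, uint256 bal) {
        bytes memory data;
        (ok, data) = token.staticcall(abi.encodeWithSelector(BALANCE_OF, account));
        if (!ok || data.length < 32) return (false, 0);
        bal = abi.decode(data, (uint256));
    }
}

// Hypothetical validator that snapshots a balance before an execution and
// requires a minimum increase afterwards.
contract MinReceiveValidator {
    error BalanceReadFailed(address token, address account);
    error ReceivedTooLittle(uint256 received, uint256 minReceived);

    // Vulnerable: if balanceOf reverts at snapshot time but not afterwards,
    // "before" is 0 and the whole pre-existing balance counts as "received".
    function snapshotLenient(address token, address account) external view returns (uint256) {
        return BalanceRead.lenientBalanceOf(token, account);
    }

    // Fixed: a read that fails at either point is a hard error, never a number.
    function snapshotChecked(address token, address account) external view returns (uint256) {
        (bool ok, uint256 bal) = BalanceRead.checkedBalanceOf(token, account);
        if (!ok) revert BalanceReadFailed(token, account);
        return bal;
    }

    function checkReceived(uint256 before, uint256 after_, uint256 minReceived) external pure {
        uint256 received = after_ > before ? after_ - before : 0;
        if (received < minReceived) revert ReceivedTooLittle(received, minReceived);
    }
}
```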

@coderabbitai

coderabbitai bot commented Apr 13, 2026

Warning

Rate limit exceeded

@reednaa has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 29 seconds before requesting another review.
Reviewing files that changed from the base of the PR and between 19e16e4 and a1bc95f.


@codecov-commenter

Codecov Report

❌ Patch coverage is 95.82993% with 102 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@19e16e4). Learn more about missing BASE report.

Files with missing lines                    Patch %   Lines missing
typescript/src/catapultar/account.ts        89.07%    45
typescript/src/catapultar/catapultar.ts     75.47%    39
typescript/src/transaction/transaction.ts   94.07%    8
typescript/src/utils/helpers.ts             91.83%    4
typescript/test/setup.ts                    83.33%    3
typescript/src/utils/signature.ts           66.66%    2
typescript/src/config.ts                    95.23%    1
Additional details and impacted files
@@           Coverage Diff           @@
##             main      #21   +/-   ##
=======================================
  Coverage        ?   95.82%           
=======================================
  Files           ?       14           
  Lines           ?     2446           
  Branches        ?        0           
=======================================
  Hits            ?     2344           
  Misses          ?      102           
  Partials        ?        0           


// forge-lint: disable-next-line(unchecked-call)
// wake-disable-next-line: unchecked-return-value
0x4e59b44847b379578588920cA78FbF26c0B4956C.call{ gas: 1000000 }(

Large raw hex bytecode passed to an unchecked low-level .call. Replace with an explicit artifact or provide decoded source and justification so reviewers can inspect the deployed bytecode.

Details

✨ AI Reasoning
A deployment script now performs a low-level call to address 0x4e59b4... with an enormous raw hex payload. This call executes dynamically constructed bytecode via .call(...) with a hard-coded hex blob. Embedding large raw bytecode strings in source makes the payload opaque to reviewers and hides the actual operations being performed. This pattern can be used to hide malicious or unexpected behavior because the hex is not human-readable and cannot be easily reviewed without decoding. The code element is a direct runtime call that executes the provided bytes; that is the precise location where intent is obscured.

🔧 How do I fix it?
Ensure code is transparent and not intentionally obfuscated. Avoid hiding functionality from code review. Focus on intent and deception, not specific patterns.

Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.

@reednaa reednaa changed the base branch from main to ts-library April 13, 2026 13:19